Tag Archives: hackers

There was a time when hackers simply defaced websites to get attention; then they started hijacking them to spread banking trojans and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors’ computers to mine cryptocurrency for attackers.

The cryptocurrency-mining script was found injected into over 4,000 websites, including those belonging to the UK’s National Health Service (NHS), the Student Loan Company, the data protection watchdog Information Commissioner’s Office (ICO) and Queensland legislation, as well as the US government’s court system.

Users who visited the hacked websites immediately had their computers’ processing power hijacked (a practice known as cryptojacking) to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called “Browsealoud,” used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that lets website administrators earn revenue by using the CPU resources of their visitors.
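The practical defence against a silently modified third-party script is to pin its hash with Subresource Integrity and re-check fetched copies. The following is an added example, not Texthelp’s or Scott Helme’s code; the script body, vendor URL and hashes are constructed placeholders:

```python
"""Pin and verify a third-party script's integrity, the check that would flag a
modified vendor file before a browser ran it. Added example, not Texthelp's or
Scott Helme's code; the script body, URL and hashes are constructed."""
import base64
import hashlib
import hmac

# Constructed: the vendor script body a site owner reviewed and decided to pin.
KNOWN_GOOD = b"(function () { /* accessibility widget: read page text aloud */ })();\n"

# Constructed: the same file with extra code appended, as a compromised vendor
# build would ship it to every customer site at once.
TAMPERED = KNOWN_GOOD + b"/* appended by an attacker: loads a miner */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag that makes the browser refuse a changed file.

    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify(body: bytes, pinned: str) -> bool:
    """Recompute the hash of a freshly fetched copy and compare it to the pin.

    A malformed pin (unknown algorithm prefix) is reported as a failure rather
    than raising, so a monitoring job never silently skips it."""
    algo, _, _ = pinned.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(body, algo), pinned)


def check_fetched_copies(pinned: str, copies: dict) -> list:
    """Report which fetched copies (name -> body) no longer match the pin."""
    return [name for name, body in copies.items() if not verify(body, pinned)]


if __name__ == "__main__":
    pinned = sri_hash(KNOWN_GOOD)
    print(script_tag("https://vendor.example/widget.js", KNOWN_GOOD))
    print("unchanged copy verifies:", verify(KNOWN_GOOD, pinned))
    print("changed copies:",
          check_fetched_copies(pinned, {"cdn-a": KNOWN_GOOD, "cdn-b": TAMPERED}))
```

A pinned hash blocks unannounced changes but also blocks legitimate vendor updates, so pair it with a job that re-fetches the file and alerts on a mismatch instead of letting the page break silently.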

The mining software was found on more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au; the list goes on.

After UK-based infosec consultant Scott Helme raised the alarm about the hack, when one of his friends mentioned getting anti-virus alerts on a UK government website, Browsealoud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp’s chief technology officer Martin McKay said in a blog post:

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective; the risk was mitigated for all customers within a period of four hours.”

“Texthelp has in place continuously automated security tests for Browsealoud – these tests detected the modified file, and as a result, the product was taken offline.”

Taking the product offline removed Browsealoud from all customer websites at once, addressing the security issue without customers having to take any action.

The company also stated that “no customer data has been accessed or lost,” and that its customers will receive a further update as soon as the security investigation is completed.

Just last week, researchers from AdGuard discovered that some popular video streaming and ripping sites, including openload, Streamango, Rapidvideo and OnlineVideoConverter, hijack CPU cycles from their hundreds of millions of visitors to mine the Monero cryptocurrency.

Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.

Dubbed Loapi, the new Android Trojan performs so many malicious activities at once that it can strain a handset to the point where, within just two days of infection, the phone’s battery bulges out of its cover.

Described as a “jack-of-all-trades” by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.

Loapi Destroyed An Android Phone In Just 2 Days

When analyzing a Loapi sample, Kaspersky’s researchers discovered that the malware mines the Monero cryptocurrency so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deforming the phone cover.

According to the researchers, the cybercriminals behind Loapi are the same people responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for “popular antivirus solutions and even a famous porn site.”

Upon installation, Loapi forces the user to grant it ‘device administrator’ permissions by looping a pop-up until a victim clicks yes, which gives the malicious app the same power over your smartphone that you have.

Such a high level of privilege would also make Loapi ideal for spying on users. That capability is not yet present in the malware, but the Kaspersky researchers think it could be added in the future.

Loapi Malware Aggressively Fights to Protect Itself

Researchers also said the malware “aggressively fights any attempts to revoke device manager permissions” by locking the screen and closing phone windows by itself.

Each Loapi module (advertisement, SMS, mining, web crawler and proxy) communicates with its own command-and-control (C&C) server to carry out its function on the infected device.

By connecting to one of the C&C servers mentioned above, Loapi sends a list of legitimate antivirus apps that pose a danger to it, then declares the real app to be malware and urges the user to delete it, showing the pop-up in a loop until the user finally deletes the app.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device,” the researchers concluded.

Fortunately, Loapi failed to make its way into the Google Play Store, so users who stick to downloads from the official app store are not affected by this malware. But you are advised to remain vigilant even when downloading apps from the Play Store, as malware often makes its way there to infect Android users.

U.S. federal officials have arrested two hackers who have pleaded guilty to computer-crime charges for creating and distributing the Mirai botnet, which crippled some of the world’s biggest and most popular websites with massive DDoS attacks last year.

According to the federal court documents unsealed Tuesday, Paras Jha and Josiah White were indicted by an Alaska court last week on six charges for their role in massive cyber attacks conducted using Mirai botnet.

Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs and other Internet of Things devices that still use their default passwords, and adds them to a botnet, which is then used to launch DDoS attacks on websites and Internet infrastructure.

“Jha and his co-conspirators successfully infected hundreds of thousands of internet-connected computing devices, including computers in Alaska and other states, with malicious software,” the plea agreement said.

Paras Jha and his business partner Josiah White are the same people who were outed by blogger Brian Krebs earlier this year after his blog was also knocked offline by a massive 620 Gbps DDoS attack launched using the Mirai botnet.

According to Jha’s LinkedIn profile, he is a 21-year-old passionate programmer from Fanwood, U.S., who knows how to code in multiple programming languages and is listed as president of a DDoS mitigation firm, ProTraf Solutions.

A week after the massive DDoS attack, the source code of Mirai was released on the widely used hacker chat forum Hackforums by Jha who, under the name Anna-senpai, wrote he had “made their money…so it’s time to GTFO.”

“So today, I have an amazing release for you,” he wrote. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Once the Mirai source code was out, various cyber criminals started using the IoT malware to launch powerful DDoS attacks against websites and Internet infrastructure, one of which hit the popular DNS provider Dyn, which was DDoSed by a botnet of around 100,000 Mirai-infected devices.

The U.S. Department of Justice has not released more details about the case yet. We will update this article with new information. Stay Tuned!

Hackers always first go for the weakest link to quickly gain access to your online accounts.

Online users’ habit of reusing the same password across multiple services gives hackers the opportunity to use credentials gathered from one data breach to break into their other online accounts.

Researchers from security firm 4iQ have now discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text.

The aggregate database, found on 5 December in an underground community forum, is said to be the largest aggregation of various leaks found on the dark web to date, 4iQ founder and chief technology officer Julio Casal noted in a blog post.

Though links to download the collection had already been circulating on dark-web sites for the last few weeks, it gained more exposure when someone posted it on Reddit a few days ago, from where we also downloaded a copy and can now verify its authenticity.

Researchers said the massive 41GB archive, as shown below, contains 1.4 billion username, email and password combinations—properly fragmented and sorted into two- and three-level directories.

The archive had been last updated at the end of November and didn’t come from a new breach—but from a collection of 252 previous data breaches and credential lists.

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” Casal said. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”

“This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The database has been neatly organized and indexed alphabetically, too, so that would-be hackers with basic knowledge can quickly search for passwords.

For example, a simple search for “admin,” “administrator” and “root” returned 226,631 passwords used by administrators in a few seconds.

Although some of the breach incidents are quite old, with the stolen credentials circulating online for some time, the success ratio is still high for criminals, due to users’ lousy habit of reusing their passwords across different platforms and choosing easy-to-use passwords.

The most common yet worst passwords found in the database are “123456”, “123456789”, “qwerty,” “password” and “111111.”

It is still unclear who is responsible for uploading the database on the dark web, but whoever it is has included Bitcoin and Dogecoin wallets for any user who wants to donate.

To protect yourself, you are strongly advised to stop reusing passwords across multiple sites and always keep strong and complex passwords for your various online accounts.

If you find it difficult to create and remember complex passwords for different services, you can make use of a password manager. We have listed some good password managers that could help you understand the importance of such a tool and choose one according to your requirements.

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions and legal firms, primarily in the United States, UK and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations, stealing more than $11 million as well as sensitive documents that could be used in further attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).

“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US.” Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations

Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, PsExec, Mimikatz and PowerShell Empire, as well as proof-of-concept code demonstrated at a Russian hacking conference in 2016.

“To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators.” Group-IB says in its report.

Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.

“Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server.”
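The Luhn check the report attributes to ScanPOS is also what an egress or DLP filter applies to spot card data leaving a POS network. The following is an added example of that defensive use, not code from the Group-IB report; the outbound records are constructed and use published test card numbers:

```python
"""Flag payment-card numbers in outbound data using Luhn's algorithm, the same
check the Group-IB report says ScanPOS applies before sending track data to its
C&C server. Added example for an egress/DLP filter, not code from the report;
the sample records below are constructed and use published test card numbers."""
import re

# Digit runs of PAN length (13-19) not embedded in a longer run. Track-2 data
# (;PAN=YYMM...?) and JSON fields both expose the PAN as such a run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any result above 9, and require the digit sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit runs in `text` that pass Luhn, i.e. probable card numbers.
    Luhn alone is a weak signal (about 1 in 10 random runs pass), so the
    length limits and run boundaries above do the rest of the filtering."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as an alert should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_egress(lines: list) -> list:
    """Return (line index, masked PAN) for every probable card number found."""
    hits = []
    for idx, line in enumerate(lines):
        for pan in find_card_numbers(line):
            hits.append((idx, mask(pan)))
    return hits


# Constructed sample of outbound records captured from a POS host.
SAMPLE_EGRESS = [
    "POST /upload ;4111111111111111=2512101?",    # track-2 style, test PAN
    '{"pan":"5500000000000004","exp":"1225"}',    # bare PAN in a JSON blob
    "order_id=2017120512345678 status=ok",        # 16 digits, fails Luhn
    "trace=1234567890123456",                     # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for idx, masked in scan_egress(SAMPLE_EGRESS):
        print(f"line {idx}: probable card number {masked}")
```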

“The group uses ‘fileless’ malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack.”

“To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.”

Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands—including Bank of America, Microsoft, Yahoo and the Federal Reserve Bank—to hide its malicious traffic.

The hacking group also configures its servers so that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. It also relies on PowerShell and VBS scripts to ensure persistence on the targeted system.

The very first attack that Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data’s STAR—the largest U.S. bank transfer messaging system, connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, a similar attack was repeated against another bank.

Here’s how the attack works:

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked,” Group-IB explains.

“Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules.”

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they “withdrew cash from ATMs, one by one.”

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank’s internal network was the home computer of the bank’s system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.

Due to the growing number of threats in the computer world, ethical hackers have become essential not only to governments but also to private companies and IT firms that need to safeguard their systems and networks from hackers trying to infiltrate them.

By 2020, employment in all information technology occupations is expected to increase by 22 percent, where demand for ethical hackers and IT security engineers will be the strongest. So, it’s high time that you should start preparing yourself in the field of ethical hacking.

Although there are many popular online courses available, you can’t learn everything from a single book or course.

Good news: this month we bring our readers an amazing deal, The Ultimate White Hat Hacker 2018 Bundle, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

You will get at least 4 hacking courses for less than the average price you pay (as little as $1), and all 8 online courses for the average price (which is $12.11 at the time of writing).

Here’s a brief description of the 8 courses included in this Pay What You Want deal (the full bundle requires at least the average price):

This online course, built around WAPTP v3.1, a highly practical and hands-on training for web application penetration testing, helps you map an application for weaknesses and understand how to identify and mitigate threats.

This course helps you gain a thorough understanding of websites, then learn how to exploit them to carry out a number of powerful cyber attacks, test the security of websites and apps, and fix vulnerabilities.

This course helps you learn network hacking techniques and vulnerability scanning to discover security issues and risks across an entire network, learning skills for which big companies are willing to pay top dollar.

Remember when you were a youngster, and lived in nightly fear of the monsters dwelling under your bed, or those hiding in the closet? That made it an act of foolishness to swing your legs over the side of the bed and expose munch-able ankles to the demons. Even worse would be to risk opening the closet door at night, to provide a portal for their crossover into the human world.
The only way to safely make it through the night was to stay motionless in bed, fully covered by your charmed-against-monsters favorite blanket, and await the safety of morning sunlight.

KRACK

The demons of the night have probably long since retreated from your bedroom – but for adult internet users, they have re-emerged from the shadows, in the form of hackers and cyber attackers, still lurking, still waiting for their opportunity. And sadly, this time they are real – lately, the internet has been buzzing with the recently discovered WPA2 vulnerabilities known as KRACK.

Everyone who listens to the news occasionally, or checks their morning news feed before heading off to work, should be aware of some of the spectacular network breaches against major corporations. In fact, one or more of those violations may even have affected you personally, since several of them have resulted in massive amounts of sensitive personal information being hijacked by criminals. But such headline-grabbing attacks are far from the only depredations being carried out these days on the Internet, nor are the big corporations the only targets.

Small businesses the target of cybercriminals

Cybercriminals are starting to realize that attacks against lots of small businesses can be just as lucrative as a single attack against a major player. Ransomware attacks and other forms of malware breaches can yield significant profits when carried out in volume against small businesses, and now hackers have upped the ante to include attacks against individuals, in the form of breaching devices which are tied to the Internet of Things (IoT). It was recently demonstrated that even using an ordinary Wi-Fi connection can expose you to attack by a smart attacker, in physical proximity.

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access 2 (WPA2) is the second, and theoretically stronger, incarnation of the security protocols for wireless networks, but it was recently shown to have a vulnerability which allows attackers to manipulate how the protocol works so that network traffic can be intercepted. Depending on how a specific network is configured, it would even have been possible for malware to be inserted, without the attacker ever obtaining or disturbing the network’s password, thus evading detection.

This capability makes wireless devices, including all those connected to the IoT, vulnerable to Key Reinstallation Attacks (KRACK), which compromise the encryption component of the WPA2 protocol. Without getting into the technical weaknesses which make this possible, you should know that such attacks are likely whenever a cybercriminal is physically positioned close enough to a device on a Wi-Fi network so that the signal can be intercepted and manipulated. What all this means for devices connected to the IoT, is that they would need to have software or firmware updates which close up the vulnerability to KRACK attacks. The affected manufacturers have begun issuing patches to address the problem but remember that you don’t have to only rely on patches – there are other ways to protect yourself.

Are More IoT devices Driving More Cyber Attacks?

The short answer to this is – yes. Cybercriminals are notoriously opportunistic, and the potential ubiquity of IoT devices provides nearly endless possibilities for security breaches. Just “listening in” on such network traffic can provide useful, sensitive information about accounts and other data that can be converted into profits.

The monsters under your bed have grown up with you, and they have now moved into the shadows of cyberspace, waiting to nip at your ankles or to have you barge brazenly into their closet stronghold. And unfortunately, this time they are real – make sure you have a chance to fight them off by arming yourself with a protective blanket.

Ride hailing firm Uber has revealed a major hack last year exposed the personal data of 57 million users. Even worse is the news that Uber’s security chief paid the hackers $100,000 to cover up the incident in the hope of preventing the breach from going public.

The incident was announced by Uber CEO Dara Khosrowshahi, who claimed that he had only recently learned about it himself. Two senior managers in charge of IT security were fired shortly afterwards.

A very serious breach

According to the report, two hackers were able to download names, email addresses and mobile phone numbers of 57 million Uber users around the world and the names and driver’s license numbers of 600,000 U.S. drivers. Although credit card numbers and passwords were not included, the stolen details would be enough for cybercriminals to start an identity fraud operation.

Instead of reporting the breach to the authorities and to the service’s users – as required by US law – Uber decided to pay the hackers to keep quiet. The two individuals involved in the attack were paid $100,000 in return for supplying proof that they had deleted the stolen data.

An ongoing problem

Uber already has a reputation for breaking rules, and for tracking users even after they have closed the app. The sheer volume of valuable personal data held by Uber makes it a very attractive target for hackers, and the company’s attempts to hide incidents like this one only increase customer distrust.

Although a data breach is embarrassing and expensive, attempting to cover it up is even more damaging – people simply do not trust the service to handle their personal data safely.

Protecting yourself now

Although Uber claims that login details were not compromised, you should still change your password just in case. Make sure that you create a strong password to further improve security.

And don’t forget, hackers will also try and steal data direct from your mobile phone, not just Uber’s data centre. Protect your smartphone with the free Mobile Security app, blocking the malware that steals passwords, credit card details and other sensitive personal information.

Data Theft Incidents on the Rise

As we reported in a previous post, in the first half of 2017 more data was stolen than in all of 2016. The 918 security breaches registered by Gemalto’s Breach Level Index led to the theft of almost 2 billion records, which is 164% more than the figure for the whole of last year. For companies to avoid being in that position, the first step is to be aware of the importance of implementing effective security measures and policies.

The internet continues to create conflicts for parents who want to give their children the benefits it provides without exposing them to the dangers it harbors. Online video games are part of that struggle. Staying up-to-date on safety issues helps parents better negotiate the benefits and costs of online gaming.

Parents want to provide their children with the tools for expanding their imaginations. Once it was the humble Lincoln Log set. Now it’s user-generated, multi-platform, immersive online gaming systems. With games like Roblox, kids now have the power to build any world they can imagine and socialize with other players from around the world.

Roblox touts 64 million active players every month, who log on to “create adventures, play games, roleplay, and learn with friends.”

Children put in hundreds of hours playing games like Roblox, and they’re emotionally connected to their accounts — to a level many adults may not consider. When a child’s account is stolen, they’ve lost more than just their username and password; they’ve given up the worlds they’ve built, the items they collected, the avatars they’ve customized, the friends they’ve made and any future plans for the game. It can be devastating.

Given the power and creativity Roblox provides children, the company takes a proactive stance to protect their players from inappropriate content, online hackers, cyber thieves and other internet dangers. Roblox provides resources like in-game moderators, parental guides and content controls to help parents. However, it’s impossible to monitor the activity of so many players.

Hackers can steal player accounts or infect computers with malware, but knowing the common safety issues will help you keep your devices safe and your child’s imagination on track.

Can you get a virus from Roblox?

It’s impossible to get a virus playing within the Roblox platform because the game doesn’t “permit, or have the functionality, to upload, retrieve, or otherwise disseminate harmful executables or malware via its platform,” says Brian Jaquet, the company’s Senior Public Relations Director.

However, while hackers can’t introduce a virus within the Roblox game, they can find ways to get kids to leave the platform where infection or account theft is possible.

Phishing attacks

Pop-up ads or chat links offering free Robux or custom items can lure children to fake phishing websites designed to infect your computer or steal your child’s Roblox account. It’s similar to how phishing attacks work on YouTube. Roblox hackers entice users away from the game with promises of free gifts or Robux, the platform’s in-game currency, if they click a link within a chat message or pop-up ad.

Malware

While on a malicious website, hackers trick users into downloading an executable program with an .exe extension. Once opened, the program infects the computer with malware designed to steal data, which can include your banking information and passwords.

Stolen Passwords

Phishing attacks can also steal Roblox accounts from fake websites. Players are prompted to log in with their Roblox username and password with promises of free Robux. Their credentials are then saved and can be used to take over their account. The image below is from a phishing website.

The Roblox community rules clearly state players are forbidden to “sell, trade or give away Robux, digital goods or game codes except through official channels on the Roblox platform.” Players can buy and sell game items, but only as Builders Club members. Sharing outside programs on the Roblox site is not allowed, but it does happen.

Scams

Hackers can also steal from players while on the Roblox platform. These scams commonly use pop-up ads promising free items, but instead of a new weapon or t-shirt, players get their Robux stolen or accounts hijacked.

Fake maintenance

The so-called “Fake Maintenance Scam” is a phony graphic user interface (GUI) that tells users the site is “undergoing maintenance”. The scam is effective because it tricks players into giving away their login information. Younger or newer players, upset at their game’s interruption, are more likely to sign back in without questioning the GUI’s authenticity.

Here are some maintenance guidelines to help children identify when Roblox is actually undergoing maintenance:

An orange banner (see above) will appear on the Roblox website warning you before maintenance begins.

When the banner changes to red, you won’t be able to play Roblox until maintenance is finished.

Maintenance usually occurs when you’re asleep or at school.

Roblox will never ask for your username and password anywhere except the home page.

Botnets

Scammers can use “bots” to make money from Roblox players. Bots are automated programs that perform a specific set of tasks. On Roblox, the most common bot task is to create a fake account and message players, asking them to visit a website to get free Robux.

Hackers released thousands of bots (a “botnet”) during the 2017 Group Wall Scam. The botnet sent thousands of players to a monetized YouTube video to inflate its view count.

How to prevent attacks

Here are some ways to keep your little Roblox players and their devices safe.

Enable two-step verification

Two-step verification adds an extra layer of security to your child’s account by requiring a second step to prove their identity. Any time your child signs in on a new device, Roblox will require a six-digit security code, which it sends to the email address on the account. For your child’s account, use a secure email address only you can access. Anyone trying to change the account’s password will need that security code.

Create a strong password

Even without phishing scams and fake GUIs, attackers have software that guesses weak passwords automatically. Teach your child that they should never write down their password or share it with anyone except you. Follow password creation guidelines to help them build a strong password that’s easy to remember.

Sign out when on shared devices

If your child plays Roblox on multiple devices, like a friend’s or a school’s computer, remind them to sign out of their account when they’re done. It’s easy for others to access accounts that are simply left open in a browser.

Check the link before you click

You never want your child going to another website from the Roblox platform. If they do, they’re probably somewhere they shouldn’t be. Help them understand that URLs are an address for websites, like the one where they live. Just like they need to make sure they’re getting off the bus at the right stop, they need to check that they’re at the right web address. For the Roblox website, they can look for roblox.com as the site name in the browser’s address bar (the part right before the first slash), not just anywhere in the address: roblox.com.free-robux.example is not Roblox. For example: https://en.help.roblox.com.
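The address check described above, as an added example that is not part of the original article: parse the link with the standard library and accept it only when the host is roblox.com or a subdomain of it. The sample links are constructed for this example; the `TRUSTED_DOMAINS` set is an assumption, not something Roblox publishes.

```python
from urllib.parse import urlsplit

# Assumption for this example: roblox.com (and its subdomains) is the only trusted domain.
TRUSTED_DOMAINS = {"roblox.com"}


def is_trusted_roblox_url(url: str) -> bool:
    """Return True only if the URL's host is roblox.com or a subdomain of it.

    Looking for the string "roblox.com" anywhere in the address is not enough:
    scammers register hosts like roblox.com.free-robux.example, put the string in
    the path, or hide the real host behind a "roblox.com@" userinfo prefix.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file: ... are never a website address
    host = parts.hostname  # already lowercased; port and userinfo stripped
    if not host:
        return False
    try:
        # Map look-alike (IDN) hosts to their ASCII form so Cyrillic "о" cannot pass as "o".
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links, as a child might see them in chat or a pop-up.
SAMPLE_LINKS = [
    "https://en.help.roblox.com",
    "https://www.roblox.com/games",
    "http://roblox.com.free-robux.example/login",
    "https://free-robux.example/roblox.com/login",
    "https://roblox.com@evil.example/",
    "https://rob1ox.com/",
    "javascript:alert('roblox.com')",
]


def classify(links):
    """Map each link to True (trusted) or False (suspect)."""
    return {link: is_trusted_roblox_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print(("OK       " if ok else "SUSPECT  ") + link)
```

The same rule is what a child should apply by eye: read the host name up to the first slash and check that it ends in roblox.com, ignoring everything after the slash.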

Set messaging and chat to “Friends”

Control who can communicate with your child through the account’s privacy settings. In the “Privacy” settings tab, users can control who can chat, message, invite and join them in the game. Restrict contact to “Friends” to keep your kid’s interactions safer. They’ll be less likely to encounter a malware link. However, you will still need to manage who their “Friends” are to keep the group safe.

If your child is part of the Builders Club, they can set their group to “Private” to keep out scammers.

Report Abuse and Scammers

Roblox employs moderators to monitor content, blocking inappropriate ads and warning players of scams. But with the game’s large number of users, player interactions, trading systems and user-generated content, it’s challenging to monitor everything.

Encourage your children to report any inappropriate behavior or scams. Roblox makes it easy for them to report others for a variety of abuses, from cyberbullying to posting offsite links. Tell them to find a grown up — either you or a moderator — if they have a bad feeling.

Free lunches

Use Roblox to teach your kids that there’s no such thing as a free lunch. If something sounds too good to be true, it probably is. If someone is offering free Robux or the customized avatar t-shirt they’ve been wanting for weeks, it’s 99.9 percent likely to be a scam. The official Roblox trading system has specific rules to follow for exchanging items.

Download a good antivirus software

Antivirus software helps protect your devices from getting infected by known malware and can remove it if a device is infected. There’s no substitute for vigilance, but installing antivirus software can reduce the stress and worry that comes with the combination of children, the internet and digital devices.

As a parent, the last thing you want is to have your child’s social and creative Roblox experience end up as a bad memory. There’s more at stake than just a video game. Friends, digital worlds and hours of play can be stolen alongside usernames and passwords. Taking a little time to educate your kids about the real world can go a long way in keeping their digital one safe.

Recently, researchers found an Equifax portal guarding access to 14,000 personal records protected by the username and password combination admin/admin. The issue has since been fixed, but the example highlights the lack of importance given to password creation that continues to plague cyber security for businesses and individuals.

Most people still use passwords that are easy for cyber thieves to guess despite the devastating effects of identity theft. But the problem isn’t just about carelessness; it’s about human nature. Understanding the problem will help you create better passwords.

The Human Predictability Problem

Bill Burr, the author of the 2003 NIST guidance that most of today’s password policies are based on, recently admitted he regrets his original recommendations. While working at the National Institute of Standards and Technology (NIST) in 2003, Burr wrote a guide that laid out two fundamental rules for password creation:

It must have a combination of alphanumeric, uppercase, lowercase, and special characters.

It should be changed every 90 days.

Rule number 1 results in a password like “S3cur1Ty%”, which looks random but is a dictionary word with the usual substitutions and a symbol tacked on, and cracking tools try exactly those variations first. It’s easy because humans are so predictable.

For example, most of us tend to capitalize the first letter in our passwords. We also use the same numerical substitutions for letters (ex. “3” for “E”, “1” for “i”). Those two common strategies alone make our passwords much more predictable.

NIST has since revised Burr’s guidelines, admitting that requiring complex passwords causes users to “respond in very predictable ways to the requirements imposed by composition rules.”

Rule number two results in a similar problem. People who change their passwords regularly tend to make only minor alterations, like adding a “1” at the end (not exactly creating the Enigma Code there). The current NIST guidelines no longer call for changing passwords every 90 days. Instead, change a password when there is a reason to, such as after a known breach like the Equifax one.

How do cyber criminals steal passwords?

Hackers have many ways of stealing your passwords.

Brute Force Attacks

Hackers use software that tries password after password automatically. Against a site that doesn’t limit login attempts this works online; against a stolen database of password hashes it runs offline, at billions of guesses per second on ordinary hardware. Since the reigning champion of worst passwords is still “123456”, automated guessing is a reliable way to steal your information. Password “cracking” software with names like Brutus, RainbowCrack and Wfuzz is free to download.

Dictionary Attack

As the name implies, dictionary attack software works through a prearranged list of words, trying different combinations and variations of each. Ironically, cyber criminals use stolen passwords to make stealing passwords easier. Cyber thieves often purchase stolen password lists on the online black market. They buy them not for targeting individuals, but for determining the most common passwords people use. They’re searching for human predictability so they can narrow their future guesses.

Even legitimate businesses buy stolen passwords in an effort to safeguard their customers’ information.

Because of these password lists, NIST recommends that sites check a new password “against a ‘black list’ of unacceptable passwords,” such as those found in previous breaches. If you try to use a password on such a list, the website may reject it.
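Both sides of the dictionary attack described above, as an added example that is not part of the original article: `crack` is the attacker’s view, a small rule-based dictionary attack that applies the capitalisation, substitution and suffix habits the article calls predictable and so recovers “S3cur1Ty%” from the base word “security”; `is_acceptable` is the defender’s view, a NIST-style blacklist check that undoes the same habits before looking the password up. The wordlist, the rule set and the use of unsalted SHA-256 for the stolen hashes are all constructed assumptions for this example.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a purchased dump of common passwords.
COMMON_WORDS = ["123456", "password", "security", "welcome", "dragon", "monkey"]

# Substitutions that rule-based crackers try first, precisely because people use them.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}
SUFFIXES = ["", "1", "!", "%", "123", "2017"]


def sha256_hex(text: str) -> str:
    """Unsalted fast hash, assumed here for the stolen database (a common reality in leaks)."""
    return hashlib.sha256(text.encode()).hexdigest()


def _case_variants(word):
    """lower, UPPER, Capitalised, and Capitalised with one extra inner capital (e.g. SecuriTy)."""
    low = word.lower()
    yield low
    yield low.upper()
    cap = low.capitalize()
    yield cap
    for i in range(1, len(cap)):
        yield cap[:i] + cap[i].upper() + cap[i + 1:]


def mangle(word):
    """Yield every candidate this small rule set derives from one base word."""
    seen = set()
    for base in _case_variants(word):
        chars = list(base)
        slots = [i for i, c in enumerate(chars) if c.lower() in LEET]
        for r in range(len(slots) + 1):            # every subset of substitutable letters
            for chosen in itertools.combinations(slots, r):
                v = chars[:]
                for i in chosen:
                    v[i] = LEET[v[i].lower()]
                for suf in SUFFIXES:
                    cand = "".join(v) + suf
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(target_hashes, wordlist):
    """Attacker view: return {hash: password} for every target hash a mangled word matches."""
    found, remaining = {}, set(target_hashes)
    for word in wordlist:
        for cand in mangle(word):
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
    return found


def normalize(password: str) -> str:
    """Defender view: undo the predictable tricks so 'S3cur1Ty%' compares as 'security'."""
    p = password.lower().rstrip(string.digits + string.punctuation)
    return "".join(UNLEET.get(c, c) for c in p)


def is_acceptable(password: str, blacklist=COMMON_WORDS, min_len=8) -> bool:
    """NIST-style check: minimum length plus a blacklist lookup on the raw and normalized forms."""
    if len(password) < min_len:
        return False
    words = set(blacklist)
    return password.lower() not in words and normalize(password) not in words


if __name__ == "__main__":
    # Constructed "stolen database": four users' hashes.
    targets = {sha256_hex(p): p
               for p in ["S3cur1Ty%", "Dragon2017", "welcome!", "hallwayroutinetraveltsunami"]}
    got = crack(targets, COMMON_WORDS)
    for h, pw in targets.items():
        print(f"{pw:30} {'CRACKED as ' + got[h] if h in got else 'not cracked'}")
    for pw in ["S3cur1Ty%", "123456", "hallwayroutinetraveltsunami"]:
        print(f"{pw:30} acceptable={is_acceptable(pw)}")
```

Real cracking tools ship far larger rule sets than this, so a blacklist that only compares the literal string is easy to slip past; normalizing first is what makes the check bite. A salted, deliberately slow hash (bcrypt, scrypt, Argon2) on the server side would make each of these guesses far more expensive than one SHA-256.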

Wi-Fi Monitoring Attack

Password thieves can also grab your password when you’re connected to public Wi-Fi. An attacker on the same network, or one running a rogue hotspot with a familiar name, can capture the traffic your device sends; if a site accepts your username and password over plain HTTP rather than HTTPS, those credentials are readable in the capture. Attacks on Wi-Fi itself and recently discovered vulnerabilities are making Wi-Fi monitoring attacks a bigger threat, so check for the padlock and https:// before signing in on a network you don’t control.

Phishing Attacks

Attackers use fake emails and websites to steal your passwords. Phishing attacks are usually emails disguised as legitimate company correspondence. The emails typically direct you to download an attachment, click a link, or sign into a website.

That email from your “bank” looks legitimate, but its real author may be a thief directing you to enter your username and password into a fake website. Although hackers are getting more sophisticated, there are still effective ways to spot phishing attacks before it’s too late.

Updated strategies for creating passwords

Creating a good password means finding a balance between memorability and randomness. Here are some new strategies based on the updated NIST guidelines.

Stop being predictable

Now that you understand how Burr’s guidelines actually resulted in more predictable passwords, you can avoid these issues by choosing substitutions and capitalisation that are your own rather than the ones everybody else uses.

Personalized Substitutions

Instead of using common substitutions (ex. “4” for “A”, “$” for “S”), find your own substitutions based on individual associations. For example, if your name begins with A and you’re the third child, then substitute all your A’s with 3’s. You can also substitute all S’s with the number of S’s in the title of your favorite horror movie (ex. “Texas Chain Saw Massacre” = 4). The base word still has to be hard to guess: a personal rule applied to “password” is still “password”.

Capitalization

Avoid predictable patterns in letter capitalization, like upper-case letters in the first and last position. Use a personal preference or choose to capitalize a letter where it aids memorization the most.

Using personal connections makes remembering your password easier and guessing it much harder.

Length

The longer your password, the better. Each extra character multiplies the number of guesses a brute force attack has to make (by 95 for a character drawn at random from the printable ASCII set). At minimum, you should have eight characters. NIST recommends websites encourage users to create passwords as “lengthy as they want.” But remember: the longer the password, the harder it will be to remember.

Use Acronyms

Using acronyms built from a longer phrase is a good way to create a secure password that’s easy to remember. Here are the steps:

Find a phrase you can remember easily. Example: “Don’t count your chickens before they hatch”

Create an acronym by using the first letters of each word in the phrase. So, “dcycbth.”

Add some numbers and special characters based on the substitution and capitalization strategies listed above. For example, dcYcb3Th% is a strong password that’s easy to remember.

The longer and more personalized your initial phrase the stronger the resulting password will be.

Note: “personalized” doesn’t mean personal. Never use personal information like your date of birth, hometown name, or other piece of data a thief could easily find. Therefore, an example of a bad phrase to use would be “My Birthday Is On June Fifteenth Nineteen Eighty.”

Use a Passphrase

Passphrases are built from random words strung together. Their strength comes from the words being picked at random from a large list, not from any single word being unusual, so a dictionary attack that relies on common patterns and connections between words has nothing to work with. If you used a random noun generator to produce the four words “hallway”, “routine”, “travel” and “tsunami” you could build a password with strong randomness and length: hallwayroutinetraveltsunami. Add some uncommon substitutions and special characters and you’ve created a strong, memorable password.

Note: some security analysts argue that random-word passphrases are weaker than they look, because the average college-educated person knows only about 80,000 words. Four words drawn at random from a list that size still give about 65 bits of entropy, but words a person picks by hand come from a much smaller and more predictable set.

Use Two-Step Verification

If you haven’t set up two-step verification (2SV) on your accounts, you should do it as soon as you can. Also known as two-factor authentication, 2SV provides an extra layer of protection by having you prove your identity a second way. Many 2SV systems work by sending a text to your phone with an access code; after you enter the code, the website gives you access to your account.

2SV codes can still be phished or intercepted, as the Wi-Fi and phishing attacks above show, but NIST still recommends the practice.

Google recently announced its 2SV program, called Google Prompt, for Android phones. The company claims Google Prompt is an easier and more secure method of authenticating an account than traditional 2SV.

Get a Password Manager

Another problem with passwords is that around 60% of people use the same one for multiple accounts. The downsides are obvious, but with so many of our online services requiring passwords, creating unique and memorable passwords isn’t practical.

Password managers are increasing in popularity because they create secure passwords you don’t have to remember. Most work by having you create a master password. The manager will then let you create and save more passwords for each of your outside accounts. They will even randomly generate passwords for you. If you can remember your master password, you can access all of your other ones.

When creating strong passwords, it’s definitely good not to follow the crowd. Secure passwords should be as unique as you are, so follow the NIST guidelines and keep access to your accounts in your hands, not those of cyber criminals.